選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。

emailwiz.sh 12 KiB

5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
3年前
5年前
5年前
3年前
3年前
3年前
3年前
5年前
3年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
3年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
3年前
5年前
5年前
3年前
5年前
3年前
5年前
3年前
4年前
4年前
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348
  1. #!/bin/sh
  2. # THE SETUP
  3. # Mail will be stored in non-retarded Maildirs because it's $currentyear. This
  4. # makes it easier for use with isync, which is what I care about so I can have
  5. # an offline repo of mail.
  6. # The mailbox names are: Inbox, Sent, Drafts, Archive, Junk, Trash
  7. # Use the typical unix login system for mail users. Users will log into their
  8. # email with their passnames on the server. No usage of a redundant mySQL
  9. # database to do this.
  10. # DEPENDENCIES BEFORE RUNNING
  11. # 1. Have a Debian system with a static IP and all that. Pretty much any
  12. # default VPS offered by a company will have all the basic stuff you need. This
  13. # script might run on Ubuntu as well. Haven't tried it. If you have, tell me
  14. # what happens.
  15. # 2. Have a Let's Encrypt SSL certificate for $maildomain. You might need one
  16. # for $domain as well, but they're free with Let's Encypt so you should have
  17. # them anyway.
  18. # 3. If you've been toying around with your server settings trying to get
  19. # postfix/dovecot/etc. working before running this, I recommend you `apt purge`
  20. # everything first because this script is build on top of only the defaults.
  21. # Clear out /etc/postfix and /etc/dovecot yourself if needbe.
  22. # NOTE WHILE INSTALLING
  23. # On installation of Postfix, select "Internet Site" and put in TLD (without
  24. # `mail.` before it).
  25. echo "Setting umask to 0022..."
  26. umask 0022
  27. echo "Installing programs..."
  28. apt install postfix postfix-pcre dovecot-imapd dovecot-sieve opendkim spamassassin spamc
  29. # Check if OpenDKIM is installed and install it if not.
  30. which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools
  31. domain="$(cat /etc/mailname)"
  32. subdom=${MAIL_SUBDOM:-mail}
  33. maildomain="$subdom.$domain"
  34. certdir="/etc/letsencrypt/live/$maildomain"
  35. [ ! -d "$certdir" ] && certdir="$(dirname "$(certbot certificates 2>/dev/null | grep "$maildomain\|*.$domain" -A 2 | awk '/Certificate Path/ {print $3}' | head -n1)")"
  36. [ ! -d "$certdir" ] && echo "Note! You must first have a Let's Encrypt Certbot HTTPS/SSL Certificate for $maildomain.
  37. Use Let's Encrypt's Certbot to get that and then rerun this script.
  38. You may need to set up a dummy $maildomain site in nginx or Apache for that to work." && exit 1
  39. # NOTE ON POSTCONF COMMANDS
  40. # The `postconf` command literally just adds the line in question to
  41. # /etc/postfix/main.cf so if you need to debug something, go there. It replaces
  42. # any other line that sets the same setting, otherwise it is appended to the
  43. # end of the file.
  44. echo "Configuring Postfix's main.cf..."
  45. # Change the cert/key files to the default locations of the Let's Encrypt cert/key
  46. postconf -e "smtpd_tls_key_file=$certdir/privkey.pem"
  47. postconf -e "smtpd_tls_cert_file=$certdir/fullchain.pem"
  48. postconf -e "smtp_tls_CAfile=$certdir/cert.pem"
  49. # Enable, but do not require TLS. Requiring it with other server would cause
  50. # mail delivery problems and requiring it locally would cause many other
  51. # issues.
  52. postconf -e 'smtpd_tls_security_level = may'
  53. postconf -e 'smtp_tls_security_level = may'
  54. # TLS required for authentication.
  55. postconf -e 'smtpd_tls_auth_only = yes'
  56. # Exclude obsolete, insecure and obsolete encryption protocols.
  57. postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  58. postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  59. postconf -e 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  60. postconf -e 'smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  61. # Exclude suboptimal ciphers.
  62. postconf -e 'tls_preempt_cipherlist = yes'
  63. postconf -e 'smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL'
  64. # Here we tell Postfix to look to Dovecot for authenticating users/passwords.
  65. # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
  66. postconf -e 'smtpd_sasl_auth_enable = yes'
  67. postconf -e 'smtpd_sasl_type = dovecot'
  68. postconf -e 'smtpd_sasl_path = private/auth'
  69. # Sender and recipient restrictions
  70. postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
  71. # NOTE: the trailing slash here, or for any directory name in the home_mailbox
  72. # command, is necessary as it distinguishes a maildir (which is the actual
  73. # directories that what we want) from a spoolfile (which is what old unix
  74. # boomers want and no one else).
  75. postconf -e 'home_mailbox = Mail/Inbox/'
  76. # A fix referenced in issue #178 - Postfix configuration leaks ip addresses (https://github.com/LukeSmithxyz/emailwiz/issues/178)
  77. # Prevent "Received From:" header in sent emails in order to prevent leakage of public ip addresses
  78. postconf -e "header_checks = regexp:/etc/postfix/header_checks"
  79. # strips "Received From:" in sent emails
  80. echo "/^Received:.*/ IGNORE
  81. /^X-Originating-IP:/ IGNORE" >> /etc/postfix/header_checks
  82. # master.cf
  83. echo "Configuring Postfix's master.cf..."
  84. sed -i '/^\s*-o/d;/^\s*submission/d;/^\s*smtp/d' /etc/postfix/master.cf
  85. echo "smtp unix - - n - - smtp
  86. smtp inet n - y - - smtpd
  87. -o content_filter=spamassassin
  88. submission inet n - y - - smtpd
  89. -o syslog_name=postfix/submission
  90. -o smtpd_tls_security_level=encrypt
  91. -o smtpd_sasl_auth_enable=yes
  92. -o smtpd_tls_auth_only=yes
  93. smtps inet n - y - - smtpd
  94. -o syslog_name=postfix/smtps
  95. -o smtpd_tls_wrappermode=yes
  96. -o smtpd_sasl_auth_enable=yes
  97. spamassassin unix - n n - - pipe
  98. user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}" >> /etc/postfix/master.cf
  99. # By default, dovecot has a bunch of configs in /etc/dovecot/conf.d/ These
  100. # files have nice documentation if you want to read it, but it's a huge pain to
  101. # go through them to organize. Instead, we simply overwrite
  102. # /etc/dovecot/dovecot.conf because it's easier to manage. You can get a backup
  103. # of the original in /usr/share/dovecot if you want.
  104. mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.backup.conf
  105. echo "Creating Dovecot config..."
  106. echo "# Dovecot config
  107. # Note that in the dovecot conf, you can use:
  108. # %u for username
  109. # %n for the name in name@domain.tld
  110. # %d for the domain
  111. # %h the user's home directory
  112. # If you're not a brainlet, SSL must be set to required.
  113. ssl = required
  114. ssl_cert = <$certdir/fullchain.pem
  115. ssl_key = <$certdir/privkey.pem
  116. ssl_min_protocol = TLSv1.2
  117. ssl_cipher_list = "'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED'"
  118. ssl_prefer_server_ciphers = yes
  119. ssl_dh = </usr/share/dovecot/dh.pem
  120. # Plaintext login. This is safe and easy thanks to SSL.
  121. auth_mechanisms = plain login
  122. auth_username_format = %n
  123. protocols = \$protocols imap
  124. # Search for valid users in /etc/passwd
  125. userdb {
  126. driver = passwd
  127. }
  128. #Fallback: Use plain old PAM to find user passwords
  129. passdb {
  130. driver = pam
  131. }
  132. # Our mail for each user will be in ~/Mail, and the inbox will be ~/Mail/Inbox
  133. # The LAYOUT option is also important because otherwise, the boxes will be \`.Sent\` instead of \`Sent\`.
  134. mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
  135. namespace inbox {
  136. inbox = yes
  137. mailbox Drafts {
  138. special_use = \\Drafts
  139. auto = subscribe
  140. }
  141. mailbox Junk {
  142. special_use = \\Junk
  143. auto = subscribe
  144. autoexpunge = 30d
  145. }
  146. mailbox Sent {
  147. special_use = \\Sent
  148. auto = subscribe
  149. }
  150. mailbox Trash {
  151. special_use = \\Trash
  152. }
  153. mailbox Archive {
  154. special_use = \\Archive
  155. }
  156. }
  157. # Here we let Postfix use Dovecot's authetication system.
  158. service auth {
  159. unix_listener /var/spool/postfix/private/auth {
  160. mode = 0660
  161. user = postfix
  162. group = postfix
  163. }
  164. }
  165. protocol lda {
  166. mail_plugins = \$mail_plugins sieve
  167. }
  168. protocol lmtp {
  169. mail_plugins = \$mail_plugins sieve
  170. }
  171. plugin {
  172. sieve = ~/.dovecot.sieve
  173. sieve_default = /var/lib/dovecot/sieve/default.sieve
  174. #sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  175. sieve_dir = ~/.sieve
  176. sieve_global_dir = /var/lib/dovecot/sieve/
  177. }
  178. " > /etc/dovecot/dovecot.conf
  179. # If using an old version of Dovecot, remove the ssl_dl line.
  180. case "$(dovecot --version)" in
  181. 1|2.1*|2.2*) sed -i '/^ssl_dh/d' /etc/dovecot/dovecot.conf ;;
  182. esac
  183. mkdir /var/lib/dovecot/sieve/
  184. echo "require [\"fileinto\", \"mailbox\"];
  185. if header :contains \"X-Spam-Flag\" \"YES\"
  186. {
  187. fileinto \"Junk\";
  188. }" > /var/lib/dovecot/sieve/default.sieve
  189. grep -q '^vmail:' /etc/passwd || useradd vmail
  190. chown -R vmail:vmail /var/lib/dovecot
  191. sievec /var/lib/dovecot/sieve/default.sieve
  192. echo 'Preparing user authentication...'
  193. grep -q nullok /etc/pam.d/dovecot ||
  194. echo 'auth required pam_unix.so nullok
  195. account required pam_unix.so' >> /etc/pam.d/dovecot
  196. # OpenDKIM
  197. # A lot of the big name email services, like Google, will automatically reject
  198. # as spam unfamiliar and unauthenticated email addresses. As in, the server
  199. # will flatly reject the email, not even delivering it to someone's Spam
  200. # folder.
  201. # OpenDKIM is a way to authenticate your email so you can send to such services
  202. # without a problem.
  203. # Create an OpenDKIM key in the proper place with proper permissions.
  204. echo 'Generating OpenDKIM keys...'
  205. mkdir -p /etc/postfix/dkim
  206. opendkim-genkey -D /etc/postfix/dkim/ -d "$domain" -s "$subdom"
  207. chgrp opendkim /etc/postfix/dkim/*
  208. chmod g+r /etc/postfix/dkim/*
  209. # Generate the OpenDKIM info:
  210. echo 'Configuring OpenDKIM...'
  211. grep -q "$domain" /etc/postfix/dkim/keytable 2>/dev/null ||
  212. echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$subdom.private" >> /etc/postfix/dkim/keytable
  213. grep -q "$domain" /etc/postfix/dkim/signingtable 2>/dev/null ||
  214. echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
  215. grep -q '127.0.0.1' /etc/postfix/dkim/trustedhosts 2>/dev/null ||
  216. echo '127.0.0.1
  217. 10.1.0.0/16' >> /etc/postfix/dkim/trustedhosts
  218. # ...and source it from opendkim.conf
  219. grep -q '^KeyTable' /etc/opendkim.conf 2>/dev/null || echo 'KeyTable file:/etc/postfix/dkim/keytable
  220. SigningTable refile:/etc/postfix/dkim/signingtable
  221. InternalHosts refile:/etc/postfix/dkim/trustedhosts' >> /etc/opendkim.conf
  222. sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim.conf
  223. sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf
  224. sed -i '/Socket/s/^#*/#/' /etc/opendkim.conf
  225. grep -q '^Socket\s*inet:12301@localhost' /etc/opendkim.conf || echo 'Socket inet:12301@localhost' >> /etc/opendkim.conf
  226. # OpenDKIM daemon settings, removing previously activated socket.
  227. sed -i '/^SOCKET/d' /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
  228. # Here we add to postconf the needed settings for working with OpenDKIM
  229. echo 'Configuring Postfix with OpenDKIM settings...'
  230. postconf -e 'smtpd_sasl_security_options = noanonymous, noplaintext'
  231. postconf -e 'smtpd_sasl_tls_security_options = noanonymous'
  232. postconf -e "myhostname = $domain"
  233. postconf -e 'milter_default_action = accept'
  234. postconf -e 'milter_protocol = 6'
  235. postconf -e 'smtpd_milters = inet:localhost:12301'
  236. postconf -e 'non_smtpd_milters = inet:localhost:12301'
  237. postconf -e 'mailbox_command = /usr/lib/dovecot/deliver'
  238. # A fix for "Opendkim won't start: can't open PID file?", as specified here: https://serverfault.com/a/847442
  239. /lib/opendkim/opendkim.service.generate
  240. systemctl daemon-reload
  241. for x in spamassassin opendkim dovecot postfix; do
  242. printf "Restarting %s..." "$x"
  243. service "$x" restart && printf " ...done\\n"
  244. done
  245. # If ufw is used, enable the mail ports.
  246. pgrep ufw >/dev/null && { ufw allow 993; ufw allow 465 ; ufw allow 587; ufw allow 25 ;}
  247. pval="$(tr -d '\n' </etc/postfix/dkim/"$subdom".txt | sed 's/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//' | grep -o 'p=.*')"
  248. dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"
  249. dmarcentry="_dmarc.$domain TXT v=DMARC1; p=reject; rua=mailto:dmarc@$domain; fo=1"
  250. spfentry="$domain TXT v=spf1 mx a:$maildomain -all"
  251. useradd -m -G mail dmarc
  252. echo "$dkimentry
  253. $dmarcentry
  254. $spfentry" > "$HOME/dns_emailwizard"
  255. printf "\033[31m
  256. _ _
  257. | \ | | _____ ___
  258. | \| |/ _ \ \ /\ / (_)
  259. | |\ | (_) \ V V / _
  260. |_| \_|\___/ \_/\_/ (_)\033[0m
  261. Add these three records to your DNS TXT records on either your registrar's site
  262. or your DNS server:
  263. \033[32m
  264. $dkimentry
  265. $dmarcentry
  266. $spfentry
  267. \033[0m
  268. NOTE: You may need to omit the \`.$domain\` portion at the beginning if
  269. inputting them in a registrar's web interface.
  270. Also, these are now saved to \033[34m~/dns_emailwizard\033[0m in case you want them in a file.
  271. Once you do that, you're done! Check the README for how to add users/accounts
  272. and how to log in.\n"